from the major-failure dept

Remember how we said that there were a few key amendments that were necessary to make CISPA even close to palatable? Yeah, well, the House Rules Committee issued its rules for the House debate over CISPA... and basically barred the discussion on all of those key amendments. In other words, for all the talk of how they knew they had to make changes and were willing to compromise and come to a real solution? Yeah, it seems like that was all for show.

Amazingly, CDT, which had been a major player fighting against CISPA, had backed off its opposition on Tuesday, believing that the authors of CISPA really were willing to negotiate some changes in good faith. This fact was trumpeted by supporters of the bill to show "proof" that they were listening to constructive ideas. However, by barring the consideration of these amendments, they've shown their true colors. CDT is back to fully opposing the bill.

from the don't-buy-the-hype dept

When the new discussion draft of CISPA was published, many people, including myself, praised the one point of sincere improvement in the bill: the modified definition of cybersecurity that focused on network attacks. Unfortunately, the authors of the bill are spinning this to suggest that CISPA is now nearly perfect, and some media outlets and even advocacy groups are buying it—even though nothing could be further from the truth, and the White House still opposes the nature of the bill. CISPA still has big, big problems. In fact, closer analysis by the CDT and EFF suggests that the language may be worded to allow what is effectively direct government monitoring of private networks.

Government networks are protected by a network security system called Einstein, which is being steadily expanded to do things like analyze the content of communications. Such software meets all the criteria of a "cybersecurity system" under CISPA, and there is serious concern that the bill would permit the government to offer Einstein or a similar system to private cybersecurity companies. By CISPA's definitions, everything collected by such a system would qualify as "cyber threat information" and thus be open game for sharing with the government—and nothing in the bill would prevent these private systems from being connected live to government databases, effectively uniting them with the government's own security network.

Yes, it would still be voluntary—the government couldn't force a cybersecurity provider to install their software, and the provider would need to get permission from its clients to share the data. But it's not hard to envision a situation developing very quickly, in which the government gets a few major security players hooked up and their clients routinely agree without a second thought. After all, CISPA's extremely limited liability provisions mean there's little to no risk for companies. Some may question whether the government would actually move in this direction under CISPA, but given the fact that the NSA has been trying to expand Einstein to private networks since the Bush administration, giving them the legal ability to do so is a very bad idea.